Reproducibility
---------------
Packages should build reproducibly, which for the purposes of this
document [#]_ means that given
- a version of a source package unpacked at a given path;
- a set of versions of installed build dependencies;
- a set of environment variable values;
- a build architecture; and
- a host architecture,
repeatedly building the source package for the build architecture on
any machine of the host architecture with those versions of the build
dependencies installed and exactly those environment variable values
set will produce bit-for-bit identical binary packages.
It is recommended that packages produce bit-for-bit identical binaries
even if most environment variables and build paths are varied. It is
intended for this stricter standard to replace the above when it is
easier for packages to meet it.
.. [#]
This is Debian's precisification of the reproducible-builds.org
definition _.

Holger Levsen wrote a blog post
briefly describing the background and implications of this. To quote him: "we are not 94% done yet, rather more like half done or so. We still need tools and processes to enable anyone to indepently verify that a given binary comes from the sources it is said to be coming, this will involve distributing .buildinfo files and providing user interfaces in APT and elsewhere and probably also systematic rebuilds by us and other parties. And 6% or 7% of the archive is still a lot of packages, eg. in Buster we currently still have 273 unreproducible key packages and for a large part we don't have patches yet so there is still a lot of work ahead."

Our long-term goal is that Policy mandates that packages "must" be reproducible, but for that we need to show further progress and also reach a consensus on .buildinfo files and much more.

Reproducible work in other projects
Bernhard M. Wiedemann's reproducibleopensuse
scripts now
work on Debian buster on the
openSUSE Build Service with the latest versions of
osc and
obs-build.
Toolchain development and fixes
#872514 was opened on devscripts by Chris Lamb to add a
reproducible-check program to report on the reproducibility status of
installed packages.
Packages reviewed and fixed, and bugs filed
Upstream reports:

Reviews of unreproducible packages
47 package reviews have been added, 58 have been updated and 39 have been removed in this week,
adding to our knowledge about identified issues.
4 issue types have been updated:

Abstract parts of autopkgtest to support running on non-Debian systems.

Add a --host-distro flag to support that too.

tests.reproducible-builds.org
Mattia fixed the script which creates the HTML representation of our database scheme to not append .html twice to the filename.
Misc.
This week's edition was written by Ximin Luo, Chris Lamb and Holger Levsen & reviewed by a bunch
of Reproducible Builds folks on IRC & the mailing lists.

21 December 2013

I have decided to step down as main maintainer of Lintian and pass the baton to Bastien Roucari s. This is actually fairly old news, since I announced this almost a month ago. However, I was not very vocal about it until now (so do not be surprised if you had not heard of this before).
In the past month, I never once regretted having stepped down. If anything, I should probably have done it a bit earlier. Beyond the lack of motivation, I also realised that I had become an all talk and no do -maintainer. The kind that I have been advocating against publicly. This may sound weird to a lot of people, who knows me as the Lintian guy or Mr. Lintian (or whatever Lintian-related nickname people gave me). But the fact is that Bastien has done more for Lintian in the past month than I have in the past two.
Despite stepping down as main developer, I have not left Lintian completely. I am still around for helping/explaining, uploading and keeping lintian.debian.org running.

21 September 2013

I have just uploaded Lintian 2.5.18 to unstable. While fixing 22 bugs, it only features 5 new tags.

debian-changelog-has-wrong-weekday

debian-rules-missing-good-practice-target-dfsg

empty-udeb-package

file-name-in-PATH-is-not-ASCII

misplaced-extra-member-in-deb

The release also include fixes to some false-positives, such as python:any dependencies triggering python-script-but-no-python-dep, a rewritten README file. We also included a patch to make Lintian accept the Original-Maintainer field by default for non-Debian vendors (even if they do not have a profile and Lintian ends up loading the debian/main profile).
We also added support for running Lintian directly from a git checkout or source tree without setting LINTIAN_ROOT (or passing root). Since that was the primary use-case for root that option has now been deprecated. I also had lintian and lintian-info require the include-dir and [no-]user-dir options as the first if given at all.
I would like to thank Bastien Roucari s, Gaudenz Steinlin, Gunnar Wolf, J r my Bobbio and Lucas Nussbaum for contributing to Lintian and the many who submitted reports or suggestions for improvements. I would also like to thank Brian hugmeir Fraser, who assisted me in identifying and working around a bug in Perl s glob function when run under threads (filed upstream as RT#119897).